For most of its life NIS2 has been a compliance project measured against future deadlines. As of May 2026 it has become an enforcement reality. The first sanctions and proceedings are being published in the member states that transposed the directive early, and the pattern they establish is instructive precisely because it is unglamorous. Authorities are not opening with sophisticated audits of supply chain risk management maturity. They are opening with the basics: did you register, did you name a point of contact, did you notify the incident on time.
This matters for how compliance teams should sequence their work. The directive's substantive obligations under Article 21 (the risk management measures, including supply chain security) are the part that takes the longest to operationalize. But the early enforcement signal says the procedural obligations, registration and timely notification, are what authorities reach for first, because they are objectively verifiable. An entity either registered or it did not. An incident was either reported within the window or it was not. There is no maturity judgment to make.
The escalation path from these procedural failures to substantive scrutiny is clear, though, and the entities best positioned for what comes next are the ones already producing the evidence that the substantive obligations are operating. This post analyzes the early enforcement pattern across the leading member states and lays out the evidence program that survives the move from procedural to substantive review.
TL;DR
- By May 2026, the first NIS2 enforcement actions are surfacing in early-transposing member states, concentrated on procedural failures rather than substantive risk management deficiencies.
- In Germany, the BSI issued formal notices to entities (reported as 47 in Q4 2025) primarily for failing to register and to designate a point of contact, prioritizing energy and digital infrastructure; the registration deadline was March 6, 2026, and BSI estimated roughly 18,500 companies missed it.
- France has issued formal warnings to entities lacking minimum measures, and Italy has begun sectoral inspections of regional public administrations.
- Fine ceilings are substantial: up to EUR 10 million or 2% of global turnover for essential (particularly important) entities, and up to EUR 7 million or 1.4% for important entities, whichever is higher.
- Beyond fines, authorities can seek a temporary management ban on individuals with managerial responsibility for repeated non-compliance.
- The defensible position is to treat registration and notification readiness as table stakes, then build continuous evidence that Article 21 measures, especially supply chain security, are actually operating.
What the early proceedings show
The enforcement picture in May 2026 is one of early-transposing states moving first and predictably.
In Germany, the BSI has been the most visible. Reported figures indicate the BSI issued formal notices to 47 entities in the fourth quarter of 2025, primarily for failure to register in the national NIS2 entity register and failure to designate a point of contact. The agency prioritized energy sector entities and digital infrastructure providers. No major fines had been levied at the point of reporting, but the procedural escalation path was established. The registration deadline in Germany was March 6, 2026, and the BSI estimated that roughly 18,500 companies missed it, which sets the population that registration-based enforcement can draw from.
In France, the reported posture is formal warnings to entities found without minimum measures in place, a step short of financial penalty but a documented enforcement action nonetheless. In Italy, the authorities have initiated sectoral inspections of regional public administrations, an audit-led approach focused on a defined sector rather than individual notifications.
The common thread is that authorities began with what is cheapest to verify and hardest to dispute. Registration status and point-of-contact designation are binary. The presence or absence of minimum measures is more judgment-dependent, which is why France's warnings precede fines. Sectoral inspections, as in Italy, are the bridge to substantive review.
The penalty structure behind the proceedings
The reason these early, procedural actions deserve attention is the size of the penalties they can eventually feed into. NIS2 sets fine ceilings that member states must implement as a minimum.
For essential entities, sometimes rendered as particularly important entities in national transpositions, the ceiling is at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, the ceiling is at least EUR 7 million or 1.4% of worldwide turnover, again whichever is higher. The turnover-linked alternative is what makes these meaningful for large organizations; for a multinational, 2% of global turnover dwarfs the fixed ceiling.
The financial penalty is not the only consequence. Where an entity repeatedly fails to comply with enforcement orders, the competent authority can request a temporary ban on a natural person discharging managerial responsibilities, prohibiting them from exercising managerial functions in the entity. NIS2 deliberately places accountability at the management level, and this measure is its sharpest expression. A CEO who treats NIS2 as a delegated IT matter is exactly the profile the management-ban provision is aimed at.
From procedural to substantive: where this goes
The early actions are procedural, but the directive's substance is in Article 21, and the enforcement trajectory points there. Once registration and notification compliance is established as the baseline, authorities will move to whether the risk management measures are operating. Three of those measures touch the software supply chain directly and are worth singling out, because they are the ones that require continuous evidence rather than a one-time attestation.
Supply chain security. Article 21 requires entities to address security in their relationships with direct suppliers and service providers, considering the specific vulnerabilities of each supplier and the quality of their products and security practices. An authority reviewing this will not accept a policy document alone; it will look for records showing the supplier oversight described in policy actually produced findings and actions during the review period.
Vulnerability handling. Entities must have processes to identify, assess, and address vulnerabilities, including those introduced through the supply chain. The evidence is the flow from finding to triage to remediation, with timelines.
Incident reporting on the Article 23 timeline. Significant incidents must be notified within 24 hours of awareness (early warning), with a more detailed notification within 72 hours and a final report within one month. The procedural enforcement happening now is about whether entities meet this clock. The substantive review that follows will ask whether the entity can actually detect, scope, and characterize a supply-chain-originated incident fast enough to meet it.
What defensible evidence looks like
The following is an illustrative mapping, not a configuration, of NIS2 obligations to the artifacts an authority is likely to ask for.
```text
# Illustrative NIS2 evidence map — not a configuration
Registration & POC        -> registration confirmation, named contact, renewal record
Supply chain security     -> supplier/component inventory (SBOMs), supplier risk assessments, review cadence records, remediation actions
Vulnerability handling    -> finding -> triage -> remediation flow with timestamps, SLA adherence per severity
Incident reporting (A.23) -> detection records, scope assessment, 24h/72h/1mo notification artifacts tied to the underlying findings
Governance (management)   -> security report cadence to management body, training records, escalation decisions
```
The procedural rows are satisfied by documents the authority can check quickly. The substantive rows, supply chain security and vulnerability handling, are satisfied only by operational records that accumulate over time. An entity that generates these as a byproduct of running its security program is in a far stronger position than one that assembles them reactively when an inspection is announced.
What to do Monday morning
- Confirm registration and point-of-contact status in every member state where you operate. This is the obligation authorities are enforcing first, and it is the cheapest to fix. If you missed a national deadline, registering late is better than not registering.
- Stand up incident-notification readiness against the 24/72-hour clock. Define who declares a significant incident, how the early warning is filed, and where the supporting findings come from. Rehearse it; the clock is unforgiving.
- Build a supplier and component inventory. Generate SBOMs for the systems in scope so that the supply chain security measure has an inventory to operate on. Without it, the substantive review has nothing to examine.
- Make the vulnerability flow auditable. Ensure findings carry timestamps from discovery through triage and remediation, with severity-based SLAs you can show adherence against.
- Get the management body on the record. Establish the reporting cadence, capture the training, and log escalation decisions. The management-ban provision makes this personal for leadership.
- Run the evidence map as a gap analysis. Walk each row above and identify which artifacts you could produce today versus which you would have to assemble. The gaps are your roadmap.
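As an added example (not code from this post or from any product it mentions), the following Python check applies the 24h/72h/one-month notification clock and the severity-based SLA adherence from the steps above to constructed finding and notification records, so the "could we produce this artifact today" question has a concrete shape. The SLA hours, the record layout and the sample timestamps are assumptions; the final-report deadline is counted from the submission of the 72-hour notification, as Article 23(4)(d) specifies, and falls back to that notification's own deadline when nothing has been filed.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
UTC = timezone.utc
# Constructed severity SLAs in hours (example values, not figures from the directive).
SLA_HOURS = {"critical": 72, "high": 24 * 14, "medium": 24 * 30, "low": 24 * 90}

@dataclass
class Finding:
    finding_id: str
    severity: str
    discovered: datetime            # every step carries a UTC timestamp
    triaged: Optional[datetime] = None
    remediated: Optional[datetime] = None

def within_sla(f: Finding, now: datetime) -> bool:
    """True if remediated inside its severity SLA, or still open but not yet overdue."""
    deadline = f.discovered + timedelta(hours=SLA_HOURS[f.severity])
    return (f.remediated or now) <= deadline

def sla_report(findings, now: datetime) -> dict:
    return {f.finding_id: within_sla(f, now) for f in findings}

def add_one_month(t: datetime) -> datetime:
    """One calendar month later, clamping the day (31 Jan -> 28/29 Feb)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, calendar.monthrange(year, month)[1]))

def article23_deadlines(aware: datetime, notified: Optional[datetime] = None) -> dict:
    """Early warning 24h and notification 72h after awareness; final report one month
    after the 72h notification is submitted (Art. 23(4)(d)), or after its deadline if unfiled."""
    d = {"early_warning": aware + timedelta(hours=24), "notification": aware + timedelta(hours=72)}
    d["final_report"] = add_one_month(notified or d["notification"])
    return d

def notification_status(aware: datetime, filed: dict) -> dict:
    """Per artifact: was it filed on or before its deadline? Missing artifacts count as late."""
    deadlines = article23_deadlines(aware, filed.get("notification"))
    return {k: (k in filed and filed[k] <= v) for k, v in deadlines.items()}

# Constructed sample: a supply-chain finding that escalated to a significant incident.
AWARE = datetime(2026, 1, 31, 9, 0, tzinfo=UTC)
NOW = AWARE + timedelta(days=20)
FINDINGS = [
    Finding("F-1", "critical", AWARE, AWARE + timedelta(hours=2), AWARE + timedelta(hours=40)),
    Finding("F-2", "high", AWARE, AWARE + timedelta(hours=30)),   # still open after 20 days
]
FILED = {"early_warning": AWARE + timedelta(hours=20),
         "notification": AWARE + timedelta(hours=80)}             # eight hours past the 72h mark
```

Run against the sample, the early warning is on time, the 72-hour notification is late, the final report is not yet filed, and the open high-severity finding is already outside its SLA.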
Why this keeps happening
The early procedural failures are not a sign that organizations do not take NIS2 seriously. They are a sign that the directive's scope expanded the regulated population far beyond the entities that previously had mature compliance functions. Many of the 18,500 German companies that missed registration are organizations that were not in scope under the original NIS Directive and had no prior obligation. The first enforcement wave is, in large part, the regulator and the regulated population discovering each other.
The structural issue beneath the supply chain measure is more durable. Article 21 pushes security expectations into supplier relationships that were previously governed only by contract, and contracts are not evidence that controls operate. An entity can have a contractual right to require supplier security practices and still be unable to show an authority that it exercised that right and acted on what it found. The gap between contractual rights and operational evidence is where substantive enforcement will eventually find purchase, and closing it requires producing supplier oversight records continuously rather than asserting them.
The structural fix
The substantive obligations under Article 21 reward entities that generate evidence as a matter of operation. Safeguard's SBOM generation produces the supplier and component inventory the supply chain security measure depends on, and the third-party risk management view aggregates components and findings to each upstream source so supplier oversight produces records rather than assertions. The vulnerability management flow ties findings to the SBOMs that contained them with the timestamps an Article 23 narrative needs, and policy as code lets the controls be expressed and enforced consistently across member-state requirements. For the overall posture, the supply chain compliance workflows keep this evidence current.
This does not make an entity compliant by itself; registration, governance, and notification discipline are organizational obligations no tool fulfills. What it does is ensure that when procedural enforcement gives way to substantive review, the supply chain security and vulnerability handling measures have the operational evidence behind them rather than a policy document and a contract.
What we know we don't know
The specific figures in the early reporting, including the 47 German formal notices and the 18,500 missed registrations, are drawn from secondary reporting and BSI estimates rather than a consolidated official enforcement register, and they should be read as reported rather than as a definitive tally. It is also not yet clear how aggressively authorities will move from procedural notices to financial penalties; as of the May 2026 reporting, the German actions were notices rather than fines, and the trajectory to penalty is inferred from the escalation provisions rather than from levied sanctions. Finally, member-state transposition remains uneven, with some states facing reasoned opinions for delay, so the enforcement pattern visible in Germany, France, and Italy is the leading edge rather than the EU-wide norm. Compliance teams should plan against the directive's text and the leading states' posture, while treating the precise numbers as provisional.